Firefox and cross domain ajax calls

sameergn

We have a script at http://localhost:8080/a.html which loads
http://localhost:8081/b.js using script tag. A button defined in
a.html invokes a function from b.js. The function makes AJAX call to
http://localhost:8081/c.html

Firefox 3.5.5 allows the call to c.html. It can be seen in Firebug and
Tamper data plugins. The response code in these plugins is 200. But in
AJAX callback the response code is 0 when readyState becomes 4 and
responseText is blank.

Same behavior in Chrome. IE7 shows "Access is Denied" error. IE8
executes fine and response code is 200 in AJAX callback and
responseText is properly set. All browsers are on Windows XP.

We believe this is not a cross domain issue. b.js is loaded from
localhost:8081 and fetching a resource on same server using AJAX. FF
3.5.5 does not show any error in Error Console, allows the AJAX call
and even gets a 200 response code and content length is also set
properly as seen in Tamper Data. Not sure why it returns 0 as response
code and sets responseText to blank.

Anybody faced similar issue?

Thanks,
Sameer
 
sameergn

  <snip>

It's not a script tag. This is a script tag :
  <SCRIPT type="text/javascript">

You meant a script element, something that follows this pattern :
  <SCRIPT ...>  ...  </SCRIPT>

  John

@John Harris: Yes, We are loading javascript using <SCRIPT type="text/
javascript"> tag.
@Duncan Booth: I am going through the page you forwarded. Will take
some time to do that.

BTW, We thought this scenario is similar to Google Maps API.

Website A sends html to user’s browser. That page loads script from
Google site.
Website A invokes functions from Google API code which in turn makes
AJAX calls to Google site to fetch map images.

It is also similar to old applet model where applet could come from
different domain but it could initiate connections back to only that
domain.
 
Richard Maher

It is also similar to old applet model where applet could come from
different domain but it could initiate connections back to only that
domain.

Absolutely nothin' "old" about it! Except in as far as it is now beautifully
augmented by cross-domain policy files a la mode de Flex/Silverlight.
Same-Origin works and works bloody well.

Cheers Richard Maher
 
sameergn

It is a cross domain issue. The calling page is http://localhost:8080 which
is a different domain than http://localhost:8081 (the protocol and port
number both matter here).

It doesn't matter that you loaded the b.js from the same domain as the
page you are trying to access from Javascript: it's the domain of the page
a.html that matters.

If you want to know why Firefox sends the request even though it is cross-
domain read https://developer.mozilla.org/en/HTTP_access_control

Understood the purpose of sending the request; To send 'Origin:'
header and to check the 'Access-Control-Allow-Origin:' response
header.
 
Thomas 'PointedEars' Lahn

We have a script at http://localhost:8080/a.html which loads
http://localhost:8081/b.js using script tag. A button defined in
a.html invokes a function from b.js. The function makes AJAX call to
http://localhost:8081/c.html

You should review your notions of the existence of a "script tag" and an
"AJAX call".
[...] But in AJAX callback the response code is 0

You mean the response _status_ code? But `0' does not indicate success
(except with `file://' where it is a pseudo-request); 200 does. Review your
HTTP knowledge (among other things).
when readyState becomes 4

So the response was fully received.
and responseText is blank.

Same behavior in Chrome. IE7 shows "Access is Denied" error.

Works as designed, see below.
IE8 executes fine and response code is 200 in AJAX callback and
responseText is properly set.

Looks like a security leak not fixed, or a DNS-resolution based instead of a
hostname-based SOP implementation (which is flawed, of course), or a library
working around.
We believe this is not a cross domain issue.

Strictly speaking, it is not. However:
b.js is loaded from localhost:8081 and fetching a resource on same server
using AJAX.

It is a same-origin issue. To meet the Same Origin Policy, the resource
requested must be accessed with the same protocol, host name, *and* port as
the requesting resource.

URI of requesting resource: http://localhost:8080/a.html
URI of requested resource: http://localhost:8081/c.html

You will notice that the URI of the script that makes the XHR does not
matter as long as it (the script) is requested through conventional means
(here: `script' element). IOW: 8080 != 8081, SOP not met, access denied.
FF 3.5.5 does not show any error in Error Console,

I can confirm that for Iceweasel 3.5.5 and Firebug 1.4X.5.
allows the AJAX call

That term again ...
and even gets a 200 response code and content length is also set
properly as seen in Tamper Data. Not sure why it returns 0 as response
code and sets responseText to blank.

Security measure. But you have already seen that it is at the discretion of
the implementation how to handle this case. Some throw exceptions, others
do not.
Anybody faced similar issue?

Plenty of people, and solutions have been posted even in greater numbers.
If you only had bothered to RTFM, STFW or STFFAQ before you posted ...

<http://jibbering.com/faq/#posting>


PointedEars
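
The behaviour discussed in this thread, as an added example that is not part of any post: a small model of the decision a CORS-aware browser makes for the a.html / b.js / c.html setup, showing why the request goes out and returns 200 on the wire while the callback sees status 0 and an empty responseText. The function names and the sample response are constructed for illustration, and the model covers only a simple GET without credentials (no preflight).

```javascript
// Added illustration; function names and the sample response are constructed.

// An origin is the scheme + host + port of a URL (default ports are normalised).
function originOf(url) {
  return new URL(url).origin;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Case-insensitive lookup in a plain { name: value } header object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// What the XHR callback may observe. `scriptUrl` is accepted only to show that
// it plays no part: the origin of the *document* decides, not of the script file.
function visibleToPage({ pageUrl, scriptUrl, targetUrl }, response) {
  const readable = { readyState: 4, status: response.status, responseText: response.body };
  if (isSameOrigin(pageUrl, targetUrl)) return readable;

  // Cross-origin: the request is still sent (with an Origin header), which is
  // why proxies and Firebug show a 200. The body is released to script only if
  // the server opts in for this origin.
  const allow = headerValue(response.headers, "Access-Control-Allow-Origin");
  if (allow === "*" || allow === originOf(pageUrl)) return readable;

  return { readyState: 4, status: 0, responseText: "" };
}

// The setup from the first post.
const scenario = {
  pageUrl: "http://localhost:8080/a.html",
  scriptUrl: "http://localhost:8081/b.js",
  targetUrl: "http://localhost:8081/c.html",
};

// Constructed responses from the server on port 8081: without and with opt-in.
const plain = { status: 200, headers: { "Content-Type": "text/html" }, body: "<p>c</p>" };
const optedIn = {
  ...plain,
  headers: { ...plain.headers, "Access-Control-Allow-Origin": "http://localhost:8080" },
};

console.log(visibleToPage(scenario, plain));   // blocked: status 0, empty text
console.log(visibleToPage(scenario, optedIn)); // readable: status 200, body
```

Naming the one trusted origin in `Access-Control-Allow-Origin`, as in `optedIn`, keeps the response unreadable to every other site; `*` would release it to any page.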
 
